There’s been a lot of talk about debit cards versus credit cards from a fraud perspective, and I think there are a few misconceptions out there that bear further investigation. I don’t use a debit card much, so until today I never researched the real differences between debit cards and credit cards from a fraud perspective. Federal Reserve Board Regulation E[3] is the federal regulation that governs Electronic Fund Transfers and includes provisions that make debit-card transactions instantaneous. Instantaneous means that the money is technically spent from the account the moment the card is used, which is important because your debit card draws from a bank account as opposed to a line of credit.

Why does this distinction matter? It matters because when a transaction is under investigation with a credit card, the charge is generally reversed until it is investigated further. With debit cards, the charge stays on the account while the transaction is investigated. So, if you have a fraudulent charge, you’re out the money until it’s fully investigated. This often causes a cascading effect where the missing money causes your account to go negative and start incurring fees. It’s not the bank’s fault at this point because it doesn’t know the offending charge was fraudulent, and you really have little in the way of a defense to get the fees reversed since your account was negative.

Another difference is that you need to report the fraud within two days of “discovering” the loss (a “timely fashion”), although “discovery” isn’t well defined; if you do, you’ll be liable for up to $50. Any longer and you could be liable for up to $500. Now, some banks offer zero liability, but those rules still apply because they’re outlined in Regulation E (§205.6 Liability of consumer for unauthorized transfers[4]).

Regulation E has a lot of good stuff in it if you have a few minutes to kill. For example, § 205.8, “Change in terms notice; error resolution notice,” outlines how the bank must send you written notification of a change at least 21 days before its effective date. The only exception is when a change is required to maintain or restore the security of the account or system, in which case they have 30 days to notify you.